Day 27 | beginner | Feb 27, 2026

Securely Manage Secrets in GitHub Actions

One leaked API key can cost thousands — GitHub Actions secrets keep your credentials encrypted and safe.

Tags: cicd, security, github-actions

What

GitHub Actions secrets let you store sensitive values like API keys, database passwords, and tokens securely. They're encrypted at rest, automatically masked in logs, and accessible in workflows via the secrets context. You can scope secrets to the entire repository or to specific deployment environments like staging and production.

Why It Matters

Hardcoding secrets in your code or workflow files is a security disaster waiting to happen. Anyone with read access to the repo can see them, and they end up in git history forever. GitHub Actions secrets provide encrypted storage with access controls, ensuring only your workflows can use them at runtime.

Example

# Step 1: Add secret in GitHub UI
# Settings > Secrets and variables > Actions > New repository secret
# Name: API_KEY  Value: sk-abc123...

# Step 2: Use in workflow
# .github/workflows/deploy.yml
name: Deploy
on:
  push:
    branches: [main]

jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production  # Uses environment-level secrets
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to production
        run: |
          curl -X POST https://api.example.com/deploy \
            -H "Authorization: Bearer ${{ secrets.API_KEY }}" \
            -H "Content-Type: application/json"
        # Secret is masked as *** in logs automatically

Common Mistake

Echoing or logging secret values during debugging. Even though GitHub masks known secrets in logs, intermediate steps like writing secrets to files, passing them in URLs, or using them in error messages can leak them in plain text.

Quick Fix

Never echo secrets directly. If you must debug, use a hash check: echo "Hash: $(echo "${{ secrets.API_KEY }}" | sha256sum | head -c 8)" to verify a secret is set without exposing its value.
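
The leak patterns named under Common Mistake can be checked for before a workflow is merged. The linter below is an added example, not part of the original tip or any GitHub tool: its rule names and regex heuristics are assumptions chosen for illustration, and the sample workflow is constructed.

```python
import re

# Matches a ${{ secrets.NAME }} expression and captures NAME.
SECRET = r"\$\{\{\s*secrets\.(\w+)\s*\}\}"
# Heuristic rules (assumptions for this example), checked in order per line.
RULES = [
    ("secret-in-url", re.compile(r"https?://[^\s\"']*" + SECRET)),
    ("secret-to-file", re.compile(SECRET + r"[^|#]*?>>?\s*[\w./$~-]+")),
    ("secret-echoed", re.compile(r"\b(?:echo|printf)\b.*" + SECRET)),
]
# The hash check from the Quick Fix is allowed: the value is piped to sha256sum.
HASHED = re.compile(r"\|\s*sha256sum\b")

def lint(workflow_text):
    """Return (line number, rule, secret name) for each risky use of a secret."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # skip YAML and shell comment lines
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            if rule == "secret-echoed" and HASHED.search(line):
                continue  # hashed before printing, not echoed raw
            findings.append((lineno, rule, m.group(1)))
            break  # one finding per line is enough to block the change
    return findings

# Constructed sample: one safe header use, three leaks, one hash check.
SAMPLE = '''\
steps:
  - name: Deploy
    run: |
      curl -X POST https://api.example.com/deploy \\
        -H "Authorization: Bearer ${{ secrets.API_KEY }}"
  - name: Debug
    run: |
      echo "key is ${{ secrets.API_KEY }}"
      echo "${{ secrets.DB_PASSWORD }}" > /tmp/db.txt
      curl "https://api.example.com/status?token=${{ secrets.API_KEY }}"
      echo "Hash: $(echo "${{ secrets.API_KEY }}" | sha256sum | head -c 8)"
'''

if __name__ == "__main__":
    for lineno, rule, name in lint(SAMPLE):
        print(f"line {lineno}: {rule} ({name})")
```

It only sees literal ${{ secrets.NAME }} expressions, so a secret first copied into an environment variable and then echoed needs a separate check.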

Key Takeaways

  1. Store secrets in Settings > Secrets and variables > Actions
  2. Access with ${{ secrets.SECRET_NAME }} in workflow YAML
  3. Secrets are encrypted at rest and masked in logs
  4. Use environment-level secrets for staging vs production
  5. Never echo or log secret values — even for debugging
